This is our old Q&A Site. Please post any new questions and answers at


how can I use Wireshark to see if a particular web site, web app is using HSTS?


asked 17 Feb, 05:35

adasko's gravatar image

accept rate: 0%

IF you can decrypt the HTTP exchange between server and client, you can check to see if the HSTS header is present in the HTTP response from the server. IF NOT then you can't.

permanent link

answered 17 Feb, 08:15

Jaap's gravatar image

Jaap ♦
accept rate: 14%

As Jaap said: If you can decrypt the traffic you will be able to see the HSTS header.

If not you can use the Web Developer tools in your browser (available in/for Chrome, Safari, Firefox, Internet Explorer) or you can configure a proxy like Fiddler to see the headers.

permanent link

answered 17 Feb, 11:22

Uli's gravatar image

accept rate: 29%

cURL does it without acting as a proxy and without having to decrypt the payload:

(17 Feb, 11:58) adasko

cURL does receive the plain text payload though, the library it uses for the TLS connection does the decryption for it.

Wireshark does not originate any connections so do not have access to the key, and hence the plain text payload unless the user provides the keying material.

(18 Feb, 02:04) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 17 Feb, 05:35

question was seen: 487 times

last updated: 18 Feb, 02:04

Related questions

p​o​w​e​r​e​d by O​S​Q​A